1 Introduction



This report contains two related sets of results with different assumptions on synchrony. The first part is about iterative algorithms in synchronous systems. Following our previous work on synchronous iterative approximate Byzantine consensus (IABC) algorithms [6], we provide a more intuitive tight necessary and sufficient condition for the existence of such algorithms in synchronous networks. We believe this condition and the results in [6] also hold in the partially asynchronous algorithmic model introduced in [2].

In the second part of the report, we explore the problem in asynchronous networks. While the traditional Byzantine consensus is not solvable in asynchronous systems [5], approximate Byzantine consensus can be solved using iterative algorithms [2].



2 Preliminaries 



In this section, we present the network and failure models that are common to both parts. 



2.1 Network Model 



The network is modeled as a simple directed graph $G(\mathcal{V}, \mathcal{E})$, where $\mathcal{V} = \{1, \dots, n\}$ is the set of $n$ nodes, and $\mathcal{E}$ is the set of directed edges between nodes in $\mathcal{V}$. With a slight abuse of terminology, we use the terms "edge" and "link" interchangeably. We assume that $n \geq \max(2, 3f+1)$, since the consensus problem for $n = 1$ is trivial. If a directed edge $(i,j) \in \mathcal{E}$, then node $i$ can reliably transmit to node $j$. For convenience, we exclude self-loops from $\mathcal{E}$, although every node is allowed to send messages to itself. We also assume that all edges are authenticated, such that when a node $j$ receives a message from node $i$ (on edge $(i,j)$), it can correctly determine that the message was sent by node $i$. For each node $i$, let $N_i^-$ be the set of nodes from which $i$ has incoming edges. That is, $N_i^- = \{ j \mid (j,i) \in \mathcal{E} \}$. Similarly, define $N_i^+$ as the set of nodes to which node $i$ has outgoing edges. That is, $N_i^+ = \{ j \mid (i,j) \in \mathcal{E} \}$. By definition, $i \notin N_i^-$ and $i \notin N_i^+$. However, we emphasize that each node can indeed send messages to itself.



2.2 Failure Model 



We consider the Byzantine failure model, with up to $f$ nodes becoming faulty. A faulty node may misbehave arbitrarily. Possible misbehavior includes sending incorrect and mismatching messages to different neighbors. The faulty nodes may potentially collaborate with each other. Moreover, the faulty nodes are assumed to have complete knowledge of the state of the other nodes in the system and complete knowledge of the specification of the algorithm.



Footnote: With a slight abuse of terminology, we use "systems" and "networks" interchangeably in this report.

Part I: Synchronous Networks



The network is assumed to be synchronous. This report provides a more intuitive condition that is 
equivalent to our original necessary and sufficient condition introduced in Theorem 1 of [6]. Note 
that the discussion in this part is not self-contained, and relies heavily on the material and notations 
in [6]. 

3 More Intuitive Necessary and Sufficient Condition 

For completeness, we state the tight condition from our previous report [6] here again: 

Theorem 1 Suppose that a correct IABC algorithm exists for $G(\mathcal{V}, \mathcal{E})$. Let sets $F, L, C, R$ form a partition of $\mathcal{V}$, such that $L$ and $R$ are both non-empty, and $F$ contains at most $f$ nodes. Then, at least one of these two conditions must be true: (i) $C \cup R \Rightarrow L$, or (ii) $L \cup C \Rightarrow R$.

This condition is not very intuitive. In Theorem 2 below, we state another tight necessary and sufficient condition that is equivalent to the necessary condition in Theorem 1 and is somewhat easier to interpret. To facilitate the statement of Theorem 2, we now introduce the notions of "source component" and "reduced graph" using the following three definitions.

Definition 1 Graph decomposition: Let $H$ be a directed graph. Partition graph $H$ into strongly connected components, $H_1, H_2, \dots, H_h$, where $h$ is a non-zero integer dependent on graph $H$, such that

• every pair of nodes within the same strongly connected component has directed paths in $H$ to each other, and

• for each pair of nodes, say $i$ and $j$, that belong to two different strongly connected components, either $i$ does not have a directed path to $j$ in $H$, or $j$ does not have a directed path to $i$ in $H$.

Construct a graph $H^d$ wherein each strongly connected component $H_k$ above is represented by vertex $c_k$, and there is an edge from vertex $c_k$ to vertex $c_l$ only if the nodes in $H_k$ have directed paths in $H$ to the nodes in $H_l$.



It is known that the decomposition graph $H^d$ is a directed acyclic graph [3].



Definition 2 Source component: Let $H$ be a directed graph, and let $H^d$ be its decomposition as per Definition 1. Strongly connected component $H_k$ of $H$ is said to be a source component if the corresponding vertex $c_k$ in $H^d$ is not reachable from any other vertex in $H^d$.



Footnote: Sets $X_1, X_2, X_3, \dots, X_p$ are said to form a partition of set $X$ provided that (i) $\cup_{1 \leq i \leq p} X_i = X$, and (ii) $X_i \cap X_j = \Phi$ when $i \neq j$.

Footnote: Note that the notion of $\Rightarrow$ and "$\overset{a}{\Rightarrow}$" (will be introduced in the asynchronous networks part) is similar to the "r-robust" graph presented in [7].
Definition 3 Reduced Graph: For a given graph $G(\mathcal{V}, \mathcal{E})$ and $F \subset \mathcal{V}$, a graph $G_F(\mathcal{V}_F, \mathcal{E}_F)$ is said to be a reduced graph, if: (i) $\mathcal{V}_F = \mathcal{V} - F$, and (ii) $\mathcal{E}_F$ is obtained by first removing from $\mathcal{E}$ all the links incident on the nodes in $F$, and then removing up to $f$ other incoming links at each node in $\mathcal{V}_F$.

Note that for a given $G(\mathcal{V}, \mathcal{E})$ and a given $F$, multiple reduced graphs $G_F$ may exist.



Theorem 2 Suppose that Theorem 1 holds for graph $G(\mathcal{V}, \mathcal{E})$. Then, for any $F \subset \mathcal{V}$ such that $|F| < |\mathcal{V}|$ and $|F| \leq f$, every reduced graph $G_F$ obtained as per Definition 3 must contain exactly one source component.

Proof: Since $|F| < |\mathcal{V}|$, $G_F$ contains at least one node; therefore, at least one source component must exist in $G_F$. We now prove that $G_F$ cannot contain more than one source component. The proof is by contradiction. Suppose that there exists a set $F \subset \mathcal{V}$ with $|F| < |\mathcal{V}|$ and $|F| \leq f$, and a reduced graph $G_F(\mathcal{V}_F, \mathcal{E}_F)$ corresponding to $F$, such that the decomposition of $G_F$ includes at least two source components.

Let the sets of nodes in two such source components of $G_F$ be denoted $L$ and $R$, respectively. Let $C = \mathcal{V} - F - L - R$. Observe that $F, L, C, R$ form a partition of the nodes in $\mathcal{V}$. Since $L$ is a source component in $G_F$, it follows that there are no directed links in $\mathcal{E}_F$ from any node in $C \cup R$ to the nodes in $L$. Similarly, since $R$ is a source component in $G_F$, it follows that there are no directed links in $\mathcal{E}_F$ from any node in $L \cup C$ to the nodes in $R$. These observations, together with the manner in which $\mathcal{E}_F$ is defined, imply that (i) there are at most $f$ links in $\mathcal{E}$ from the nodes in $C \cup R$ to each node in $L$, and (ii) there are at most $f$ links in $\mathcal{E}$ from the nodes in $L \cup C$ to each node in $R$. Therefore, in graph $G(\mathcal{V}, \mathcal{E})$, $C \cup R \not\Rightarrow L$ and $L \cup C \not\Rightarrow R$, violating Theorem 1. Thus, we have proved that $G_F$ must contain exactly one source component. □

The above proof shows that Theorem 1 implies Theorem 2. Now, we prove that Theorem 2 implies Theorem 1.

Proof: Suppose that the condition stated in Theorem 1 does not hold for $G(\mathcal{V}, \mathcal{E})$. Thus, there exists a partition $F, L, C, R$ of $\mathcal{V}$ such that $|F| \leq f$, $L$ and $R$ are non-empty, and $C \cup R \not\Rightarrow L$ and $L \cup C \not\Rightarrow R$.

We now construct a reduced graph $G_F(\mathcal{V}_F, \mathcal{E}_F)$ corresponding to set $F$. First, remove all nodes in $F$ from $\mathcal{V}$ to obtain $\mathcal{V}_F$. Remove all the edges incident on $F$ from $\mathcal{E}$. Then, because $C \cup R \not\Rightarrow L$, the number of incoming edges at each node in $L$ from the nodes in $C \cup R$ is at most $f$; remove all these edges. Similarly, for every node $j \in R$, remove all incoming edges from $L \cup C$ (there are at most $f$ such edges at each node $j \in R$). The resulting graph $G_F$ is a reduced graph that satisfies the conditions in Definition 3.

In $\mathcal{E}_F$, there are no incoming edges to nodes in $R$ from the nodes in $L \cup C$; similarly, in $\mathcal{E}_F$, there are no incoming edges to nodes in $L$ from the nodes in $C \cup R$. It follows that no single node in $\mathcal{V}_F$ has paths in $G_F$ (i.e., paths consisting of links in $\mathcal{E}_F$) to all the other nodes in $\mathcal{V}_F$. Thus, $G_F$ must contain more than one source component. Thus, Theorem 2 does not hold for $G(\mathcal{V}, \mathcal{E})$. □
By the two results above, it follows that Theorems 1 and 2 specify equivalent conditions.

Next, we present a weaker necessary condition, derived from Theorem 2, that implies a property of the source component.



Corollary 1 Suppose that Theorem 1 holds for graph $G(\mathcal{V}, \mathcal{E})$. Then, for any $F \subset \mathcal{V}$ such that $|F| \leq f$, the unique source component in every reduced graph $G_F$ must contain at least $f+1$ nodes.

Proof: The proof is by contradiction. Suppose that there exists a set $F$ with $|F| \leq f$, and a corresponding reduced graph $G_F(\mathcal{V}_F, \mathcal{E}_F)$, such that the decomposition of $G_F$ contains a unique source component consisting of at most $f$ nodes. Define $L$ to be the set of nodes in this unique source component. Also define $C = \Phi$ and $R = \mathcal{V} - L - F - C$. Observe that $F, L, C, R$ form a partition of $\mathcal{V}$.

Since $|L \cup C| = |L| \leq f$, it follows that in graph $G(\mathcal{V}, \mathcal{E})$, $L \cup C \not\Rightarrow R$. Then Theorem 1 implies that, in graph $G(\mathcal{V}, \mathcal{E})$, $C \cup R \Rightarrow L$. That is, since $C = \Phi$, $R \Rightarrow L$, and there must be a node in $L$, say node $i$, that has at least $f+1$ links in $\mathcal{E}$ from the nodes in $R$. Since $i \in L$, it follows that $i \notin F$ (by definition of $\Rightarrow$). Also, since $i$ has at least $f+1$ incoming edges in $\mathcal{E}$ from nodes in $R$, it follows that in $\mathcal{E}_F$, node $i$ must have at least one incoming edge from the nodes in $R$. This contradicts the assumption that set $L$ containing node $i$ is a source component of $G_F$. □

Note that this Corollary implies that for the correctness of IABC on the graph, the graph must have a component that acts as a source with at least $f+1$ nodes and thus outnumbers the faulty nodes.

For a "local" fault model under the constraint that faulty nodes send identical messages to their outgoing neighbors, Zhang and Sundaram [7] showed sufficiency of a graph property similar to the condition above, although they do not prove that the sufficient condition is also necessary. Also, our fault model does not impose the above constraint on the faulty nodes.

4 Partially Asynchronous Algorithmic Model 

[2] (Chapter 7) presents a Partially Asynchronous Algorithmic Model, in which an iterative algorithm analogous to Algorithm 1 is used to solve iterative consensus with zero faults, with the following modifications:

• Each node may not necessarily update its state in each iteration. However, each node updates its state at least once in each set of consecutive $B$ iterations, where $B$ is a finite positive integer constant and is known to all nodes in advance.

• If node $i$ updates its state in iteration $t$, due to message delays, node $i$ may not necessarily be aware of the most recent state (i.e., at the end of the previous iteration) of its incoming neighbors. However, node $i$ will know the state of each incoming neighbor at the end of at least one of the $B$ previous iterations; the most recent state known is used in performing state update at node $i$.

Footnote: An alternate interpretation of the condition in Theorem 5 is that in graph $G_F$ non-fault-tolerant iterative consensus must be possible.

We believe that the necessary and sufficient conditions for the IABC algorithm under the partially asynchronous algorithmic model are identical to the necessary and sufficient conditions presented above and in [6] for the synchronous model. We expect that the proof is similar to the proof presented in [6].

Footnote: If node $i$ does not receive new values from some incoming neighbor $j$ in the past $B$ consecutive iterations, then by the model definition, node $i$ knows $j$ is faulty.
Part II: Asynchronous Networks



In this part, we consider the iterative consensus problem in asynchronous networks. We will follow the definition of asynchronous system used in [4]. Each node operates at a completely arbitrary rate. Furthermore, the link between any pair of nodes suffers from an arbitrary but finite network delay and out-of-order delivery.

Now, we introduce the class of algorithms that we will explore in this report. 

5 Asynchronous Iterative Approximate Byzantine Consensus 

Algorithm Structure. By the definition of asynchronous systems, each node proceeds at a different rate. Thus, Dolev et al. developed an algorithm based on "rounds" such that nodes update once in each round [1]. In particular, we consider the structure of the Async-IABC Algorithm below, which has the same structure as the algorithm in [3]. This algorithm structure differs from the one for synchronous systems in [6] in two important ways: (i) the messages containing states are now tagged by the round index to which the states correspond, and (ii) each node $i$ waits to receive only $|N_i^-| - f$ messages containing states from round $t-1$ before computing the new state in round $t$.

Due to the asynchronous nature of the system, different nodes may potentially perform their $t$-th round at very different real times. Thus, the main difference between iteration and round is as follows:

• Iteration is defined as a fixed amount of real-time units. Hence, every node will be in the same iteration at any given real time.

• Round is defined as the time at which each node updates its value. Hence, every node may be in totally different rounds at any given real time in asynchronous systems.

In the Async-IABC algorithm, each node $i$ maintains state $v_i$, with $v_i[t]$ denoting the state of node $i$ at the end of its $t$-th round. The initial state of node $i$, $v_i[0]$, is equal to the initial input provided to node $i$. At the start of the $t$-th round ($t > 0$), the state of node $i$ is $v_i[t-1]$. Now, we describe the steps that should be performed by each node $i \in \mathcal{V}$ in its $t$-th round.

Async-IABC Algorithm 



1. Transmit step: Transmit current state $v_i[t-1]$ on all outgoing edges. The message is tagged by index $t-1$.

2. Receive step: Wait until the first $|N_i^-| - f$ messages tagged by index $t-1$ are received on the incoming edges (breaking ties arbitrarily). Values received in these messages form vector $r_i[t]$ of size $|N_i^-| - f$.

3. Update step: Node $i$ updates its state using a transition function $Z_i$. $Z_i$ is a part of the specification of the algorithm, and takes as input the vector $r_i[t]$ and state $v_i[t-1]$.

$$v_i[t] = Z_i(r_i[t], v_i[t-1]) \tag{1}$$

Footnote: The delay can also be variable.

Footnote: With a slight abuse of terminology, we will use "value" and "state" interchangeably in this report.

We now define $U[t]$ and $\mu[t]$, assuming that $\mathcal{F}$ is the set of Byzantine faulty nodes, with the nodes in $\mathcal{V} - \mathcal{F}$ being non-faulty.

• $U[t] = \max_{i \in \mathcal{V} - \mathcal{F}} v_i[t]$. $U[t]$ is the largest state among the fault-free nodes at the end of the $t$-th round. Since the initial state of each node is equal to its input, $U[0]$ is equal to the maximum value of the initial input at the fault-free nodes.

• $\mu[t] = \min_{i \in \mathcal{V} - \mathcal{F}} v_i[t]$. $\mu[t]$ is the smallest state among the fault-free nodes at the end of the $t$-th round. $\mu[0]$ is equal to the minimum value of the initial input at the fault-free nodes.

The following conditions must be satisfied by an Async-IABC algorithm in the presence of up to $f$ Byzantine faulty nodes:

• Validity: $\forall t > 0$, $\mu[t] \geq \mu[t-1]$ and $U[t] \leq U[t-1]$

• Convergence: $\lim_{t \to \infty} U[t] - \mu[t] = 0$

The objective in this report is to identify the necessary and sufficient conditions for the existence of a correct Async-IABC algorithm (i.e., satisfying the above validity and convergence conditions) for a given $G(\mathcal{V}, \mathcal{E})$ in any asynchronous system.

5.1 Notations 

Many notations are used, or will be introduced later, in this part of the report. Here is a quick reference:

• $N_i^+, N_i^-$: set of outgoing neighbors and incoming neighbors of some node $i$, respectively.

• $U[t], \mu[t]$: maximum value and minimum value of all the fault-free nodes at the end of round $t$, respectively.

• $Z_i$: a function specifying how node $i$ updates its new value (algorithm specification).

• $N_i^r[t]$: set of incoming neighbors from whom node $i$ actually received values at round $t \geq 1$.

• $r_i[t]$: set of values sent by $N_i^r[t]$.

• $N_i^*[t]$: set of incoming neighbors from whom node $i$ actually used the values to update at round $t \geq 1$.

Note that by definition we have the following relationships: $N_i^*[t] \subseteq N_i^r[t] \subseteq N_i^-$. Moreover, $N_i^*[t]$ and $N_i^r[t]$ may change over the rounds, and $N_i^-$ is a constant. Lastly, $|N_i^r[t]| = |N_i^-| - 2f$ and $|N_i^*[t]| = |N_i^r[t]| - f$ for any round $t \geq 1$.

Footnote: For sets $X$ and $Y$, $X - Y$ contains elements that are in $X$ but not in $Y$. That is, $X - Y = \{ i \mid i \in X, i \notin Y \}$.
6 Necessary Condition

In asynchronous systems, for an Async-IABC algorithm satisfying the validity and convergence conditions to exist, the underlying graph $G(\mathcal{V}, \mathcal{E})$ must satisfy a necessary condition proved in this section. We now define relations $\overset{a}{\Rightarrow}$ and $\overset{a}{\not\Rightarrow}$ that are used frequently in our proofs. Note that these definitions are analogous to the definitions of $\Rightarrow$ and $\not\Rightarrow$ in [6].

Definition 4 For non-empty disjoint sets of nodes $A$ and $B$,

• $A \overset{a}{\Rightarrow} B$ iff there exists a node $v \in B$ that has at least $2f+1$ incoming links from nodes in $A$, i.e., $|N_v^- \cap A| > 2f$.

• $A \overset{a}{\not\Rightarrow} B$ iff $A \overset{a}{\Rightarrow} B$ is not true.

Now, we present the necessary condition for correctness of Async-IABC in asynchronous systems. Note that it is similar to that for synchronous systems [6], but with $\Rightarrow$ replaced by $\overset{a}{\Rightarrow}$.

Theorem 3 Let sets $F, L, C, R$ form a partition of $\mathcal{V}$, such that

• $0 \leq |F| \leq f$,

• $0 < |L|$, and

• $0 < |R|$

Then, at least one of the two conditions below must be true.

• $C \cup R \overset{a}{\Rightarrow} L$

• $L \cup C \overset{a}{\Rightarrow} R$

Proof: The proof is by contradiction. Let us assume that a correct Async-IABC consensus algorithm exists, and $C \cup R \overset{a}{\not\Rightarrow} L$ and $L \cup C \overset{a}{\not\Rightarrow} R$. Thus, for any $i \in L$, $|N_i^- \cap (C \cup R)| < 2f+1$, and for any $j \in R$, $|N_j^- \cap (L \cup C)| < 2f+1$.

Also assume that the nodes in $F$ (if $F$ is non-empty) are all faulty, and the remaining nodes, in sets $L, R, C$, are fault-free. Note that the fault-free nodes are not necessarily aware of the identity of the faulty nodes.

Consider the case when (i) each node in $L$ has input $m$, (ii) each node in $R$ has input $M$, such that $M > m$, and (iii) each node in $C$, if $C$ is non-empty, has an input in the range $[m, M]$.

At the start of round 1, suppose that the faulty nodes in $F$ (if non-empty) send $m^- < m$ to outgoing neighbors in $L$, send $M^+ > M$ to outgoing neighbors in $R$, and send some arbitrary value in $[m, M]$ to outgoing neighbors in $C$ (if $C$ is non-empty). This behavior is possible since nodes in $F$ are faulty. Note that $m^- < m < M < M^+$. Each fault-free node $k \in \mathcal{V} - \mathcal{F}$ sends to nodes in $N_k^+$ value $v_k[0]$ in round 1.

Consider any node $i \in L$. Denote $N_i' = N_i^- \cap (C \cup R)$. Since $C \cup R \overset{a}{\not\Rightarrow} L$, $|N_i'| \leq 2f$. Consider the situation where the delay between certain $w = \min(f, |N_i'|)$ nodes in $N_i'$ and node $i$ is arbitrarily large compared to all the other traffic (including messages from incoming neighbors in $F$). Consequently, $r_i[1]$ includes $|N_i'| - w \leq f$ values from $N_i'$, since $w$ messages from $N_i'$ are delayed and thus ignored by node $i$. Recall that $N_i^r[1]$ is the set of nodes whose round 1 values are received by node $i$ in time (i.e., before $i$ finishes step 2 in Async-IABC). By the argument above,

$$|N_i^r[1] \cap N_i'| \leq f.$$

Node $i$ receives $m^-$ from the nodes in $F \cap N_i^r[1]$, values in $[m, M]$ from the nodes in $N_i' \cap N_i^r[1]$, and $m$ from the nodes in $\{i\} \cup (L \cap N_i^r[1])$.

Consider four cases:

• $F \cap N_i^r[1]$ and $N_i' \cap N_i^r[1]$ are both empty: In this case, all the values that $i$ receives are from nodes in $\{i\} \cup (L \cap N_i^r[1])$, and are identical to $m$. By the validity condition, node $i$ must set its new state, $v_i[1]$, to be $m$ as well.

• $F \cap N_i^r[1]$ is empty and $N_i' \cap N_i^r[1]$ is non-empty: In this case, since $|N_i' \cap N_i^r[1]| \leq f$, from $i$'s perspective, it is possible that all the nodes in $N_i^r[1] \cap N_i'$ are faulty, and the rest of the nodes are fault-free. In this situation, the values sent to node $i$ by the fault-free nodes (which are all in $\{i\} \cup (L \cap N_i^r[1])$) are all $m$, and therefore, $v_i[1]$ must be set to $m$ as per the validity condition.

• $F \cap N_i^r[1]$ is non-empty and $N_i' \cap N_i^r[1]$ is empty: In this case, since $|F \cap N_i^r[1]| \leq f$, it is possible that all the nodes in $F \cap N_i^r[1]$ are faulty, and the rest of the nodes are fault-free. In this situation, the values sent to node $i$ by the fault-free nodes (which are all in $\{i\} \cup (L \cap N_i^r[1])$) are all $m$, and therefore, $v_i[1]$ must be set to $m$ as per the validity condition.

• Both $F \cap N_i^r[1]$ and $N_i' \cap N_i^r[1]$ are non-empty: From node $i$'s perspective, consider two possible scenarios: (a) nodes in $F \cap N_i^r[1]$ are faulty, and the other nodes are fault-free, and (b) nodes in $N_i' \cap N_i^r[1]$ are faulty, and the other nodes are fault-free.

In scenario (a), from node $i$'s perspective, the non-faulty nodes have values in $[m, M]$ whereas the faulty nodes have value $m^-$. According to the validity condition, $v_i[1] \geq m$. On the other hand, in scenario (b), the non-faulty nodes have values $m^-$ and $m$, where $m^- < m$; so $v_i[1] \leq m$, according to the validity condition. Since node $i$ does not know whether the correct scenario is (a) or (b), it must update its state to satisfy the validity condition in both cases. Thus, it follows that $v_i[1] = m$.

Observe that in each case above $v_i[1] = m$ for each node $i \in L$. Similarly, we can show that $v_j[1] = M$ for each node $j \in R$.

Now consider the nodes in set $C$, if $C$ is non-empty. All the values received by the nodes in $C$ are in $[m, M]$; therefore, their new state must also remain in $[m, M]$, as per the validity condition.

The above discussion implies that, at the end of the first iteration, the following conditions hold true: (i) state of each node in $L$ is $m$, (ii) state of each node in $R$ is $M$, and (iii) state of each node in $C$ is in $[m, M]$. These conditions are identical to the initial conditions listed previously. Then, by induction, it follows that for any $t > 0$, $v_i[t] = m, \forall i \in L$, and $v_j[t] = M, \forall j \in R$. Since $L$ and $R$ contain fault-free nodes, the convergence requirement is not satisfied. This is a contradiction to the assumption that a correct Async-IABC algorithm exists. □

Corollary 2 Let $\{F, L, R\}$ be a partition of $\mathcal{V}$, such that $0 \leq |F| \leq f$, and $L$ and $R$ are non-empty. Then, either $L \overset{a}{\Rightarrow} R$ or $R \overset{a}{\Rightarrow} L$.
Proof: The proof follows by setting $C = \Phi$ in Theorem 3. □



Corollary 3 The number of nodes $n$ must exceed $5f$ for the existence of a correct Async-IABC algorithm that tolerates $f$ failures.

Proof: The proof is by contradiction. Suppose that $2 \leq n \leq 5f$, and consider the following two cases:

• $2 \leq n \leq 4f$: Suppose that $L, R, F$ is a partition of $\mathcal{V}$ such that $|L| = \lceil n/2 \rceil \leq 2f$, $|R| = \lfloor n/2 \rfloor \leq 2f$ and $F = \Phi$. Note that $L$ and $R$ are non-empty, and $|L| + |R| = n$.

• $4f < n \leq 5f$: Suppose that $L, R, F$ is a partition of $\mathcal{V}$, such that $|L| = |R| = 2f$ and $|F| = n - 4f$. Note that $0 < |F| \leq f$.

In both cases above, Corollary 2 is applicable. Thus, either $L \overset{a}{\Rightarrow} R$ or $R \overset{a}{\Rightarrow} L$. For $L \overset{a}{\Rightarrow} R$ to be true, $L$ must contain at least $2f+1$ nodes. Similarly, for $R \overset{a}{\Rightarrow} L$ to be true, $R$ must contain at least $2f+1$ nodes. Therefore, at least one of the sets $L$ and $R$ must contain more than $2f$ nodes. This contradicts our choice of $L$ and $R$ above (in both cases, the size of $L$ and $R$ is $\leq 2f$). Therefore, $n$ must be larger than $5f$. □



Corollary 4 For the existence of a correct Async-IABC algorithm, for each node $i \in \mathcal{V}$, $|N_i^-| \geq 3f+1$, i.e., each node $i$ has at least $3f+1$ incoming links, when $f > 0$.

Proof: The proof is by contradiction. Consider the following two cases for some node $i$:

• $|N_i^-| \leq 2f$: Define set $F = \Phi$, $L = \{i\}$ and $R = \mathcal{V} - F - L = \mathcal{V} - \{i\}$. Thus, $N_i^- \cap R = N_i^-$, and $|N_i^- \cap R| \leq 2f$ by assumption.

• $2f < |N_i^-| \leq 3f$: Define set $L = \{i\}$. Partition $N_i^-$ into two sets $F$ and $H$ such that $|F| = f$ and $|H| = |N_i^-| - f \leq 2f$. Define $R = \mathcal{V} - F - L = \mathcal{V} - F - \{i\}$. Thus, $N_i^- \cap R = H$, and $|N_i^- \cap R| \leq 2f$ by construction.

In both cases above, $L$ and $R$ are non-empty, so Corollary 2 is applicable. However, in each case, $L = \{i\}$ and $|L| = 1 < 2f+1$; hence, $L \overset{a}{\not\Rightarrow} R$. Also, since $L = \{i\}$ and $|N_i^- \cap R| \leq 2f$, $R \overset{a}{\not\Rightarrow} L$ by the definition of $\overset{a}{\Rightarrow}$. This leads to a contradiction. Hence, every node must have at least $3f+1$ incoming neighbors.

□
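The partition conditions of Theorem 1 and Theorem 3, and the source-component condition of Theorem 2, can be checked by brute force on small graphs. The Python code below is an added example, not code from the report: it tests the partition condition with threshold $f+1$ (Theorem 1) or $2f+1$ (Theorem 3), enumerates every reduced graph of Definition 3 to count source components, and illustrates Corollary 3 on complete graphs. The function names and the sample graphs are assumptions made for the illustration.

```python
from itertools import combinations, product


def complete_graph(n):
    """In-neighbour sets N_i^- of the complete digraph on n nodes (no self-loops)."""
    return {i: {j for j in range(n) if j != i} for i in range(n)}


def partition_condition(in_nbrs, f, threshold):
    """Brute-force check over all partitions F, L, C, R.

    threshold = f + 1 is the synchronous relation (Theorem 1),
    threshold = 2f + 1 the asynchronous one (Definition 4, Theorem 3).
    """
    nodes = sorted(in_nbrs)

    def implies(A, B):
        # A => B: some node of B has at least `threshold` in-neighbours in A
        return any(len(in_nbrs[v] & A) >= threshold for v in B)

    for labels in product("FLCR", repeat=len(nodes)):
        part = {s: {v for v, l in zip(nodes, labels) if l == s} for s in "FLCR"}
        F, L, C, R = part["F"], part["L"], part["C"], part["R"]
        if len(F) > f or not L or not R:
            continue                      # not a partition the theorem quantifies over
        if not (implies(C | R, L) or implies(L | C, R)):
            return False                  # this partition violates the condition
    return True


def source_components(in_nbrs):
    """Number of source components (Definitions 1 and 2) of a small digraph."""
    anc = {}                              # anc[v]: nodes with a directed path to v, plus v
    for v in in_nbrs:
        seen, stack = {v}, [v]
        while stack:
            for u in in_nbrs[stack.pop()] - seen:
                seen.add(u)
                stack.append(u)
        anc[v] = seen
    # v lies in a source component iff v reaches every node that reaches v;
    # that component is then exactly anc[v].
    sources = {frozenset(anc[v]) for v in in_nbrs
               if all(v in anc[u] for u in anc[v])}
    return len(sources)


def reduced_graphs(in_nbrs, f):
    """Yield every reduced graph G_F of Definition 3 as an in-neighbour map."""
    nodes = sorted(in_nbrs)
    for k in range(f + 1):
        for F in map(set, combinations(nodes, k)):
            rest = [v for v in nodes if v not in F]
            if not rest:                  # Theorem 2 requires |F| < |V|
                continue
            choices = []
            for v in rest:
                keep = in_nbrs[v] - F     # links incident on F are removed first
                choices.append([keep - set(drop)
                                for r in range(f + 1)
                                for drop in combinations(sorted(keep), r)])
            for pick in product(*choices):
                yield dict(zip(rest, pick))


def theorem2_condition(in_nbrs, f):
    """True iff every reduced graph has exactly one source component."""
    return all(source_components(g) == 1 for g in reduced_graphs(in_nbrs, f))


# Constructed sample graphs: complete graphs and a bidirectional 4-cycle.
K4, K5, K6 = complete_graph(4), complete_graph(5), complete_graph(6)
RING4 = {0: {1, 3}, 1: {0, 2}, 2: {1, 3}, 3: {0, 2}}

if __name__ == "__main__":
    f = 1
    for name, g in (("K4", K4), ("RING4", RING4)):
        print(name, "Theorem 1:", partition_condition(g, f, f + 1),
              "Theorem 2:", theorem2_condition(g, f))
    for name, g in (("K5", K5), ("K6", K6)):
        print(name, "sync:", partition_condition(g, f, f + 1),
              "async:", partition_condition(g, f, 2 * f + 1))
```

On the 4-cycle both checks fail together, and the complete graph on $5 = 5f$ nodes passes the synchronous check but fails the asynchronous one, as Corollary 3 requires.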



7 Useful Lemmas 

In this section, we introduce two lemmas that are used in our proof of convergence. Note that the proofs are similar to corresponding lemmas in [6] except for the adoption of $\overset{a}{\Rightarrow}$ and "rounds" instead of $\Rightarrow$ and "iterations."
Definition 5 For disjoint sets $A, B$, $in(A \overset{a}{\Rightarrow} B)$ denotes the set of all the nodes in $B$ that each have at least $2f+1$ incoming links from nodes in $A$. More formally,

$$in(A \overset{a}{\Rightarrow} B) = \{ v \mid v \in B \text{ and } 2f+1 \leq |N_v^- \cap A| \}$$

With a slight abuse of notation, when $A \overset{a}{\not\Rightarrow} B$, define $in(A \overset{a}{\Rightarrow} B) = \Phi$.



Definition 6 For non-empty disjoint sets $A$ and $B$, set $A$ is said to propagate to set $B$ in $l$ rounds, where $l > 0$, if there exist sequences of sets $A_0, A_1, A_2, \dots, A_l$ and $B_0, B_1, B_2, \dots, B_l$ (propagating sequences) such that

• $A_0 = A$, $B_0 = B$, $B_l = \Phi$, and, for $\tau < l$, $B_\tau \neq \Phi$.

• for $0 \leq \tau \leq l-1$,

* $A_\tau \overset{a}{\Rightarrow} B_\tau$,

* $A_{\tau+1} = A_\tau \cup in(A_\tau \overset{a}{\Rightarrow} B_\tau)$, and

* $B_{\tau+1} = B_\tau - in(A_\tau \overset{a}{\Rightarrow} B_\tau)$

Observe that $A_\tau$ and $B_\tau$ form a partition of $A \cup B$, and for $\tau < l$, $in(A_\tau \overset{a}{\Rightarrow} B_\tau) \neq \Phi$. Also, when set $A$ propagates to set $B$, length $l$ above is necessarily finite. In particular, $l$ is upper bounded by $n - 2f - 1$, since set $A$ must be of size at least $2f+1$ for it to propagate to $B$.



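Lemma 1 Assume that $G(\mathcal{V}, \mathcal{E})$ satisfies Theorem 3. Consider a partition $A, B, F$ of $\mathcal{V}$ such that $A$ and $B$ are non-empty, and $|F| \leq f$. If $B \overset{a}{\not\Rightarrow} A$, then set $A$ propagates to set $B$.

Proof: Since $A, B$ are non-empty, and $B \overset{a}{\not\Rightarrow} A$, by Corollary 2 we have $A \overset{a}{\Rightarrow} B$.

The proof is by induction. Define $A_0 = A$ and $B_0 = B$. Thus $A_0 \overset{a}{\Rightarrow} B_0$ and $B_0 \overset{a}{\not\Rightarrow} A_0$. Note that $A_0$ and $B_0$ are non-empty.

Induction basis: For some $\tau \geq 0$,

• for $0 \leq k < \tau$, $A_k \overset{a}{\Rightarrow} B_k$, and $B_k \neq \Phi$,

• either $B_\tau = \Phi$ or $A_\tau \overset{a}{\Rightarrow} B_\tau$,

• for $0 \leq k < \tau$, $A_{k+1} = A_k \cup in(A_k \overset{a}{\Rightarrow} B_k)$, and $B_{k+1} = B_k - in(A_k \overset{a}{\Rightarrow} B_k)$

Since $A_0 \overset{a}{\Rightarrow} B_0$, the induction basis holds true for $\tau = 0$.

Induction: If $B_\tau = \Phi$, then the proof is complete, since all the conditions specified in Definition 6 are satisfied by the sequences of sets $A_0, A_1, \dots, A_\tau$ and $B_0, B_1, \dots, B_\tau$.

Now consider the case when $B_\tau \neq \Phi$. By assumption, $A_k \overset{a}{\Rightarrow} B_k$, for $0 \leq k \leq \tau$. Define $A_{\tau+1} = A_\tau \cup in(A_\tau \overset{a}{\Rightarrow} B_\tau)$ and $B_{\tau+1} = B_\tau - in(A_\tau \overset{a}{\Rightarrow} B_\tau)$. Our goal is to prove that either $B_{\tau+1} = \Phi$ or $A_{\tau+1} \overset{a}{\Rightarrow} B_{\tau+1}$. If $B_{\tau+1} = \Phi$, then the induction is complete. Therefore, now let us assume that $B_{\tau+1} \neq \Phi$ and prove that $A_{\tau+1} \overset{a}{\Rightarrow} B_{\tau+1}$. We will prove this by contradiction.

Suppose that $A_{\tau+1} \overset{a}{\not\Rightarrow} B_{\tau+1}$. Define subsets $L, C, R$ as follows: $L = A_0$, $C = A_{\tau+1} - A_0$ and $R = B_{\tau+1}$. Due to the manner in which the $A_k$'s and $B_k$'s are defined, we also have $C = B_0 - B_{\tau+1}$. Observe that $L, C, R, F$ form a partition of $\mathcal{V}$, where $L, R$ are non-empty, and the following relationships hold: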
• $C \cup R = B_0$, and

• $L \cup C = A_{\tau+1}$

Rewriting $B_0 \overset{a}{\not\Rightarrow} A_0$ and $A_{\tau+1} \overset{a}{\not\Rightarrow} B_{\tau+1}$, using the above relationships, we have, respectively,

$$C \cup R \overset{a}{\not\Rightarrow} L,$$

and

$$L \cup C \overset{a}{\not\Rightarrow} R.$$

This violates the necessary condition in Theorem 3. This is a contradiction, completing the induction.

Thus, we have proved that, either (i) $B_{\tau+1} = \Phi$, or (ii) $A_{\tau+1} \overset{a}{\Rightarrow} B_{\tau+1}$. Eventually, for large enough $t$, $B_t$ will become $\Phi$, resulting in the propagating sequences $A_0, A_1, \dots, A_t$ and $B_0, B_1, \dots, B_t$, satisfying the conditions in Definition 6. Therefore, $A$ propagates to $B$. □



Lemma 2 Assume that $G(\mathcal{V}, \mathcal{E})$ satisfies Theorem 3. For any partition $A, B, F$ of $\mathcal{V}$, where $A, B$ are both non-empty, and $|F| \leq f$, at least one of the following conditions must be true:

• $A$ propagates to $B$, or

• $B$ propagates to $A$

Proof: Consider two cases:

• $A \overset{a}{\not\Rightarrow} B$: Then by Lemma 1, $B$ propagates to $A$, completing the proof.

• $A \overset{a}{\Rightarrow} B$: In this case, consider two sub-cases:

- $A$ propagates to $B$: The proof in this case is complete.

- $A$ does not propagate to $B$: Thus, propagating sequences defined in Definition 6 do not exist in this case. More precisely, there must exist $k > 0$, and sets $A_0, A_1, \dots, A_k$ and $B_0, B_1, \dots, B_k$, such that:

* $A_0 = A$ and $B_0 = B$, and

* for $0 \leq i \leq k-1$,

o $A_i \overset{a}{\Rightarrow} B_i$,

o $A_{i+1} = A_i \cup in(A_i \overset{a}{\Rightarrow} B_i)$, and

o $B_{i+1} = B_i - in(A_i \overset{a}{\Rightarrow} B_i)$.

* $B_k \neq \Phi$ and $A_k \overset{a}{\not\Rightarrow} B_k$.

The last condition above violates the requirements for $A$ to propagate to $B$.

Now $A_k \neq \Phi$, $B_k \neq \Phi$, and $A_k, B_k, F$ form a partition of $\mathcal{V}$. Since $A_k \overset{a}{\not\Rightarrow} B_k$, by Lemma 1, $B_k$ propagates to $A_k$.

Since $B_k \subseteq B_0 = B$, $A \subseteq A_k$, and $B_k$ propagates to $A_k$, it should be easy to see that $B$ propagates to $A$.

□
8 Sufficient Condition

8.1 Algorithm 2

We will prove that there exists an Async-IABC algorithm, particularly Algorithm 2 below, that satisfies the validity and convergence conditions provided that the graph $G(\mathcal{V}, \mathcal{E})$ satisfies the necessary condition in Theorem 3. This implies that the necessary condition in Theorem 3 is also sufficient.

Algorithm 2 has the three-step structure, and it is similar to algorithms that were analyzed in prior work as well [U [1] (although correctness of the algorithm under the necessary condition in Theorem 3 has not been proved previously).

Algorithm 2 



1. Transmit step: Transmit current state $v_i[t-1]$ on all outgoing edges.

2. Receive step: Wait until receiving values on all but $f$ incoming edges. These values form vector $r_i[t]$ of size $|N_i^-| - f$.

3. Update step: Sort the values in $r_i[t]$ in an increasing order, and eliminate the smallest $f$ values, and the largest $f$ values (breaking ties arbitrarily). Let $N_i^*[t]$ denote the identifiers of nodes from whom the remaining $|N_i^-| - 3f$ values were received, and let $w_j$ denote the value received from node $j \in N_i^*[t]$. For convenience, define $w_i = v_i[t-1]$ to be the value node $i$ "receives" from itself. Observe that if $j \in \{i\} \cup N_i^*[t]$ is fault-free, then $w_j = v_j[t-1]$.

Define

$$v_i[t] = Z_i(r_i[t], v_i[t-1]) = \sum_{j \in \{i\} \cup N_i^*[t]} a_i w_j \tag{2}$$

where

$$a_i = \frac{1}{|N_i^-| + 1 - 3f}$$

Note that $|N_i^*[t]| = |N_i^-| - 3f$, and $i \notin N_i^*[t]$ because $(i,i) \notin \mathcal{E}$. The "weight" of each term on the right-hand side of (2) is $a_i$, and these weights add to 1. Also, $0 < a_i \leq 1$. For future reference, let us define $\alpha$ as:

$$\alpha = \min_{i \in \mathcal{V}} a_i \tag{3}$$
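A round-by-round simulation of Algorithm 2 on a complete graph with $n = 6$ and $f = 1$, as an added example that is not code from the report. The adversary (out-of-range values chosen per recipient, in the spirit of the proof of Theorem 3), the late-message schedule and the inputs are constructed for the illustration; exact fractions are used so that the validity check is not affected by rounding. With `trim=False` the update averages everything received, which shows what step 3 protects against.

```python
from fractions import Fraction


def complete_graph(n):
    """In-neighbour lists N_i^- of the complete digraph on n nodes (no self-loops)."""
    return {i: [j for j in range(n) if j != i] for i in range(n)}


def byzantine_value(recipient_state, lo, hi):
    """Constructed adversary: low nodes are told a value below the fault-free
    minimum, high nodes a value above the fault-free maximum."""
    return lo - 100 if recipient_state < (lo + hi) / 2 else hi + 100


def update(own, received, f, trim=True):
    """Update step: drop the f smallest and f largest received values, then
    average the rest with the node's own state (equal weights a_i)."""
    vals = sorted(received)
    if trim:
        vals = vals[f:len(vals) - f]
    kept = [own] + vals               # |N_i^-| + 1 - 3f values when trimming
    return sum(kept) / len(kept)


def run(inputs, faulty, f, rounds, trim=True):
    """Return [(mu[t], U[t])] for t = 0..rounds over the fault-free nodes.

    Nodes are stepped round by round: a message tagged t-1 always carries
    v_j[t-1], so asynchrony only decides which f messages arrive too late.
    """
    n = len(inputs)
    in_nbrs = complete_graph(n)
    state = {i: Fraction(x) for i, x in enumerate(inputs)}
    good = [i for i in range(n) if i not in faulty]
    history = [(min(state[i] for i in good), max(state[i] for i in good))]
    for t in range(1, rounds + 1):
        lo, hi = history[-1]
        new_state = dict(state)
        for i in good:
            nbrs = in_nbrs[i]
            # constructed schedule: a rotating set of f in-neighbours is late
            late = {nbrs[(i + t + k) % len(nbrs)] for k in range(f)}
            received = [byzantine_value(state[i], lo, hi) if j in faulty
                        else state[j]
                        for j in nbrs if j not in late]
            new_state[i] = update(state[i], received, f, trim)
        state = new_state
        history.append((min(state[i] for i in good),
                        max(state[i] for i in good)))
    return history


def validity_holds(history):
    """Validity: mu[t] >= mu[t-1] and U[t] <= U[t-1] for every round."""
    return all(prev[0] <= cur[0] and cur[1] <= prev[1]
               for prev, cur in zip(history, history[1:]))


# Constructed inputs: nodes 0..4 are fault-free, node 5 is Byzantine.
INPUTS, FAULTY = [0, 2, 5, 7, 10, 0], {5}

if __name__ == "__main__":
    trimmed = run(INPUTS, FAULTY, f=1, rounds=120)
    naive = run(INPUTS, FAULTY, f=1, rounds=5, trim=False)
    print("trimmed: validity", validity_holds(trimmed),
          "final spread", float(trimmed[-1][1] - trimmed[-1][0]))
    print("naive mean: validity", validity_holds(naive))
```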



8.2 Sufficiency 

In Theorems 4 and 5 in this section, we prove that Algorithm 2 satisfies validity and convergence conditions, respectively, provided that $G(\mathcal{V}, \mathcal{E})$ satisfies the condition below, which matches the necessary condition stated in Theorem 3.

Sufficient condition: For every partition $F, L, C, R$ of $\mathcal{V}$, such that $L$ and $R$ are both non-empty, and $F$ contains at most $f$ nodes, at least one of these two conditions is true: (i) $C \cup R \overset{a}{\Rightarrow} L$, or (ii) $L \cup C \overset{a}{\Rightarrow} R$.

Footnote: If more than $|N_i^-| - f$ values arrive at the same time, break ties arbitrarily.
Note that the proofs below are similar to the ones for synchronous systems in [6]. The main differences are the following:

• We need to consider only values in $N_i^r[t]$, not in $N_i^-$. This is due to the different step 2 in Algorithm 1 [6] and Algorithm 2.

• We interpret $t$ as round index, rather than iteration index.



Theorem 4 Suppose that $G(\mathcal{V}, \mathcal{E})$ satisfies Theorem 3. Then Algorithm 2 satisfies the validity condition.

Proof: Consider the $t$-th round, and any fault-free node $i \in \mathcal{V} - \mathcal{F}$. Consider two cases:

• $f = 0$: In (2), note that $v_i[t]$ is computed using states from the previous round at node $i$ and other nodes. By definition of $\mu[t-1]$ and $U[t-1]$, $v_j[t-1] \in [\mu[t-1], U[t-1]]$ for all fault-free nodes $j \in \mathcal{V} - \mathcal{F}$. Thus, in this case, all the values used in computing $v_i[t]$ are in the range $[\mu[t-1], U[t-1]]$. Since $v_i[t]$ is computed as a weighted average of these values, $v_i[t]$ is also within $[\mu[t-1], U[t-1]]$.

• $f > 0$: By Corollary 4, $|N_i^-| \geq 3f+1$. Thus, $|N_i^r[t]| \geq 2f+1$, and $|r_i[t]| \geq 2f+1$. When computing set $N_i^*[t]$, the largest $f$ and smallest $f$ values from $r_i[t]$ are eliminated. Since at most $f$ nodes are faulty, it follows that, either (i) the values received from the faulty nodes are all eliminated, or (ii) the values from the faulty nodes that still remain are between values received from two fault-free nodes. Thus, the remaining values in $r_i[t]$ are all in the range $[\mu[t-1], U[t-1]]$. Also, $v_i[t-1]$ is in $[\mu[t-1], U[t-1]]$, as per the definition of $\mu[t-1]$ and $U[t-1]$. Thus $v_i[t]$ is computed as a weighted average of values in $[\mu[t-1], U[t-1]]$, and, therefore, it will also be in $[\mu[t-1], U[t-1]]$.

Since $\forall i \in \mathcal{V} - \mathcal{F}$, $v_i[t] \in [\mu[t-1], U[t-1]]$, the validity condition is satisfied. □



Before proving the convergence of Algorithm 2, we first present three lemmas. In the discussion 
below, we assume that $G(\mathcal{V}, \mathcal{E})$ satisfies the sufficient condition.

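Lemma 3 Consider node $i \in \mathcal{V} - \mathcal{F}$. Let $\psi \leq \mu[t-1]$. Then, for $j \in \{i\} \cup N_i^*[t]$,

$$ v_i[t] - \psi \geq a_i \, (w_j - \psi) $$

Specifically, for fault-free $j \in \{i\} \cup N_i^*[t]$,

$$ v_i[t] - \psi \geq a_i \, (v_j[t-1] - \psi) $$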
Proof: In (2), for each $j \in \{i\} \cup N_i^*[t]$, consider two cases:

• Either $j = i$ or $j \in N_i^*[t] \cap (\mathcal{V} - \mathcal{F})$: Thus, $j$ is fault-free. In this case, $w_j = v_j[t-1]$.
Therefore, $\mu[t-1] \leq w_j \leq U[t-1]$.

• $j$ is faulty: In this case, $f$ must be non-zero (otherwise, all nodes are fault-free). From
Corollary 4, $|N_i^-| \geq 3f + 1$. Thus, $|N_i^r| \geq 2f + 1$, and $|r_i[t]| \geq 2f + 1$. Then it follows that
the smallest $f$ values in $r_i[t]$ that are eliminated in step 2 of Algorithm 2 contain the state
of at least one fault-free node, say $k$. This implies that $v_k[t-1] \leq w_j$. This, in turn, implies
that $\mu[t-1] \leq w_j$.

Thus, for all $j \in \{i\} \cup N_i^*[t]$, we have $\mu[t-1] \leq w_j$. Therefore,

$$ w_j - \psi \geq 0 \quad \text{for all } j \in \{i\} \cup N_i^*[t] \qquad (4) $$

Since weights in Equation (2) add to 1, we can re-write that equation as,

$$ v_i[t] - \psi = \sum_{j \in \{i\} \cup N_i^*[t]} a_i \, (w_j - \psi) \qquad (5) $$

$$ \geq a_i \, (w_j - \psi), \quad \forall j \in \{i\} \cup N_i^*[t] \quad \text{from (4)} $$

For non-faulty $j \in \{i\} \cup N_i^*[t]$, $w_j = v_j[t-1]$, therefore,

$$ v_i[t] - \psi \geq a_i \, (v_j[t-1] - \psi) \qquad (6) $$

□



Similar to the above result, we can also show the following lemma: 

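Lemma 4 Consider node $i \in \mathcal{V} - \mathcal{F}$. Let $\Psi \geq U[t-1]$. Then, for $j \in \{i\} \cup N_i^*[t]$,

$$ \Psi - v_i[t] \geq a_i \, (\Psi - w_j) $$

Specifically, for fault-free $j \in \{i\} \cup N_i^*[t]$,

$$ \Psi - v_i[t] \geq a_i \, (\Psi - v_j[t-1]) $$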



Then we present the main lemma used in proof of convergence. Note that below, we use 
parameter $\alpha$ defined in (3). Recall that in (2) in Algorithm 2, $a_i > 0$ for all $i$, and thus, $\alpha > 0$.



Lemma 5 At the end of the $s$-th round, suppose that the fault-free nodes in $\mathcal{V} - \mathcal{F}$ can be partitioned
into non-empty sets $R$ and $L$ such that (i) $R$ propagates to $L$ in $l$ rounds, and (ii) the states of
nodes in $R$ are confined to an interval of length $\leq \frac{U[s] - \mu[s]}{2}$. Then,

$$ U[s+l] - \mu[s+l] \leq \left(1 - \frac{\alpha^l}{2}\right) (U[s] - \mu[s]) \qquad (7) $$
Proof: Since $R$ propagates to $L$, as per Definition 6, there exist sequences of sets $R_0, R_1, \cdots, R_l$
and $L_0, L_1, \cdots, L_l$, where

• $R_0 = R$, $L_0 = L$, $L_l = \Phi$, for $0 \leq \tau < l$, $L_\tau \neq \Phi$, and

• for $0 \leq \tau \leq l - 1$,

* $R_\tau \Rightarrow L_\tau$,

* $R_{\tau+1} = R_\tau \cup in(R_\tau \Rightarrow L_\tau)$, and

* $L_{\tau+1} = L_\tau - in(R_\tau \Rightarrow L_\tau)$

Let us define the following bounds on the states of the nodes in $R$ at the end of the $s$-th round:

$$ M = \max_{j \in R} v_j[s] \qquad (8) $$
$$ m = \min_{j \in R} v_j[s] \qquad (9) $$

By the assumption in the statement of Lemma 5,

$$ M - m \leq \frac{U[s] - \mu[s]}{2} \qquad (10) $$

Also, $M \leq U[s]$ and $m \geq \mu[s]$. Therefore, $U[s] - M \geq 0$ and $m - \mu[s] \geq 0$.

The remaining proof of Lemma 5 relies on derivation of the three intermediate claims below.



Claim 1 For $0 \leq \tau \leq l$, for each node $i \in R_\tau$,

$$ v_i[s+\tau] - \mu[s] \geq \alpha^\tau (m - \mu[s]) \qquad (11) $$

Proof of Claim 1: The proof is by induction.

Induction basis: For some $\tau$, $0 \leq \tau < l$, for each node $i \in R_\tau$, (11) holds. By definition of $m$,
the induction basis holds true for $\tau = 0$.

Induction: Assume that the induction basis holds true for some $\tau$, $0 \leq \tau < l$. Consider $R_{\tau+1}$.
Observe that $R_\tau$ and $R_{\tau+1} - R_\tau$ form a partition of $R_{\tau+1}$; let us consider each of these sets
separately.

• Set $R_\tau$: By assumption, for each $i \in R_\tau$, (11) holds true. By validity of Algorithm 2,
$\mu[s] \leq \mu[s+\tau]$. Therefore, setting $\psi = \mu[s]$ in Lemma 3, we get,

$$ v_i[s+\tau+1] - \mu[s] \geq a_i \, (v_i[s+\tau] - \mu[s]) $$

$$ \geq a_i \, \alpha^\tau (m - \mu[s]) \quad \text{due to (11)} $$

$$ \geq \alpha^{\tau+1} (m - \mu[s]) \quad \text{due to (3)} $$

• Set $R_{\tau+1} - R_\tau$: Consider a node $i \in R_{\tau+1} - R_\tau$. By definition of $R_{\tau+1}$, we have that
$i \in in(R_\tau \Rightarrow L_\tau)$. Thus,

$$ |N_i^- \cap R_\tau| \geq 2f + 1 $$

It follows that

$$ |N_i^r[s+\tau] \cap R_\tau| \geq f + 1 $$

In Algorithm 2, $2f$ values ($f$ smallest and $f$ largest) received by node $i$ are eliminated before
$v_i[s+\tau+1]$ is computed at the end of $(s+\tau+1)$-th round. Consider two possibilities:

— Value received from one of the nodes in $N_i^r[s+\tau] \cap R_\tau$ is not eliminated. Suppose that
this value is received from fault-free node $p \in N_i^r[s+\tau] \cap R_\tau$. Then, by an argument
similar to the previous case, we can set $\psi = \mu[s]$ in Lemma 3, to obtain,

$$ v_i[s+\tau+1] - \mu[s] \geq a_i \, (v_p[s+\tau] - \mu[s]) $$

$$ \geq a_i \, \alpha^\tau (m - \mu[s]) \quad \text{due to (11)} $$

$$ \geq \alpha^{\tau+1} (m - \mu[s]) \quad \text{due to (3)} $$

— Values received from all (there are at least $f + 1$) nodes in $N_i^r[s+\tau] \cap R_\tau$ are eliminated.
Note that in this case $f$ must be non-zero (for $f = 0$, no value is eliminated, as already
considered in the previous case). By Corollary 4, we know that each node must have at
least $3f + 1$ incoming edges. Thus, $|N_i^r[s+\tau]| \geq 2f + 1$. Since at least $f + 1$ values from
nodes in $N_i^r[s+\tau] \cap R_\tau$ are eliminated, and there are at least $2f + 1$ values to choose
from, it follows that the values that are not eliminated are within the interval to which
the values from $N_i^r[s+\tau] \cap R_\tau$ belong. Thus, there exists a node $k$ (possibly faulty)
from whom node $i$ receives some value $w_k$ - which is not eliminated - and a fault-free
node $p \in N_i^r[s+\tau] \cap R_\tau$ such that

$$ v_p[s+\tau] \leq w_k \qquad (12) $$

Then by setting $\psi = \mu[s]$ in Lemma 3 we have

$$ v_i[s+\tau+1] - \mu[s] \geq a_i \, (w_k - \mu[s]) $$

$$ \geq a_i \, (v_p[s+\tau] - \mu[s]) \quad \text{due to (12)} $$

$$ \geq a_i \, \alpha^\tau (m - \mu[s]) \quad \text{due to (11)} $$

$$ \geq \alpha^{\tau+1} (m - \mu[s]) \quad \text{due to (3)} $$

Thus, we have shown that for all nodes in $R_{\tau+1}$,

$$ v_i[s+\tau+1] - \mu[s] \geq \alpha^{\tau+1} (m - \mu[s]) $$

This completes the proof of Claim 1.



Claim 2 For each node $i \in \mathcal{V} - \mathcal{F}$,

$$ v_i[s+l] - \mu[s] \geq \alpha^l (m - \mu[s]) \qquad (13) $$

Proof of Claim 2:

Note that by definition, $R_l = \mathcal{V} - \mathcal{F}$. Then the proof follows by setting $\tau = l$ in the above Claim 1.

By a procedure similar to the derivation of Claim 2 above, we can also prove the claim below.

Claim 3 For each node $i \in \mathcal{V} - \mathcal{F}$,

$$ U[s] - v_i[s+l] \geq \alpha^l (U[s] - M) \qquad (14) $$



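Now let us resume the proof of the Lemma 5. Note that $R_l = \mathcal{V} - \mathcal{F}$. Thus,

$$ U[s+l] = \max_{i \in \mathcal{V} - \mathcal{F}} v_i[s+l] \leq U[s] - \alpha^l (U[s] - M) \quad \text{by (14)} \qquad (15) $$

and

$$ \mu[s+l] = \min_{i \in \mathcal{V} - \mathcal{F}} v_i[s+l] \geq \mu[s] + \alpha^l (m - \mu[s]) \quad \text{by (13)} \qquad (16) $$

Subtracting (16) from (15),

$$ U[s+l] - \mu[s+l] \leq U[s] - \alpha^l (U[s] - M) - \mu[s] - \alpha^l (m - \mu[s]) $$

$$ = (1 - \alpha^l)(U[s] - \mu[s]) + \alpha^l (M - m) \qquad (17) $$

$$ \leq (1 - \alpha^l)(U[s] - \mu[s]) + \alpha^l \, \frac{U[s] - \mu[s]}{2} \quad \text{by (10)} \qquad (18) $$

$$ \leq \left(1 - \frac{\alpha^l}{2}\right)(U[s] - \mu[s]) \qquad (19) $$

This concludes the proof of Lemma 5. □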



Now, we are able to prove the convergence of Algorithm 2. Note that this proof is essentially 
identical to the synchronous case [6]. 

Theorem 5 Suppose that $G(\mathcal{V}, \mathcal{E})$ satisfies Theorem 3. Then Algorithm 2 satisfies the convergence
condition.

Proof: Our goal is to prove that, given any $\epsilon > 0$, there exists $\tau$ such that

$$ U[t] - \mu[t] \leq \epsilon \quad \forall t \geq \tau \qquad (20) $$

Consider the $s$-th round, for some $s \geq 0$. If $U[s] - \mu[s] = 0$, then the algorithm has already
converged, and the proof is complete, with $\tau = s$.

Now consider the case when $U[s] - \mu[s] > 0$. Partition $\mathcal{V} - \mathcal{F}$ into two subsets, $A$ and $B$, such
that, for each node $i \in A$, $v_i[s] \in \left[\mu[s], \frac{U[s] + \mu[s]}{2}\right)$, and for each node $j \in B$, $v_j[s] \in \left[\frac{U[s] + \mu[s]}{2}, U[s]\right]$.

By definition of $\mu[s]$ and $U[s]$, there exist fault-free nodes $i$ and $j$ such that $v_i[s] = \mu[s]$ and
$v_j[s] = U[s]$. Thus, sets $A$ and $B$ are both non-empty. By Lemma 2, one of the following two
conditions must be true:

• Set $A$ propagates to set $B$. Then, define $L = B$ and $R = A$. The states of all the nodes in
$R = A$ are confined within an interval of length $\leq \frac{U[s] + \mu[s]}{2} - \mu[s] \leq \frac{U[s] - \mu[s]}{2}$.

• Set $B$ propagates to set $A$. Then, define $L = A$ and $R = B$. In this case, states of all the
nodes in $R = B$ are confined within an interval of length $\leq U[s] - \frac{U[s] + \mu[s]}{2} \leq \frac{U[s] - \mu[s]}{2}$.

In both cases above, we have found non-empty sets $L$ and $R$ such that (i) $L, R$ is a partition
of $\mathcal{V} - \mathcal{F}$, (ii) $R$ propagates to $L$, and (iii) the states in $R$ are confined to an interval of length
$\leq \frac{U[s] - \mu[s]}{2}$. Suppose that $R$ propagates to $L$ in $l(s)$ steps, where $l(s) \geq 1$. By Lemma 5,

$$ U[s + l(s)] - \mu[s + l(s)] \leq \left(1 - \frac{\alpha^{l(s)}}{2}\right)(U[s] - \mu[s]) \qquad (21) $$

Since $n - f - 1 \geq l(s) \geq 1$ and $0 < \alpha \leq 1$, $0 \leq \left(1 - \frac{\alpha^{l(s)}}{2}\right) < 1$.

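Let us define the following sequence of iteration indices:

• $\tau_0 = 0$,

• for $i > 0$, $\tau_i = \tau_{i-1} + l(\tau_{i-1})$, where $l(s)$ for any given $s$ was defined above.

By repeated application of the argument leading to (21), we can prove that, for $i > 0$,

$$ U[\tau_i] - \mu[\tau_i] \leq \left( \prod_{j=1}^{i} \left(1 - \frac{\alpha^{\tau_j - \tau_{j-1}}}{2}\right) \right) (U[0] - \mu[0]) \qquad (22) $$

For a given $\epsilon$, by choosing a large enough $i$, we can obtain

$$ \left( \prod_{j=1}^{i} \left(1 - \frac{\alpha^{\tau_j - \tau_{j-1}}}{2}\right) \right) (U[0] - \mu[0]) \leq \epsilon $$

and, therefore,

$$ U[\tau_i] - \mu[\tau_i] \leq \epsilon \qquad (23) $$

For $t \geq \tau_i$, by validity of Algorithm 1, it follows that

$$ U[t] - \mu[t] \leq U[\tau_i] - \mu[\tau_i] \leq \epsilon $$

This concludes the proof. □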

9 Conclusion 

In this report, we present two sets of results. First, we prove another necessary and sufficient 
condition for the existence of synchronous IABC in arbitrary directed graphs. The condition is
more intuitive than the one in [6]. We also believe that the results can be extended to the partially
asynchronous algorithmic model presented in [2]. In the second part, we extend our earlier results
to asynchronous systems. 



Footnote: Without loss of generality, we assume that $U[\tau_i] - \mu[\tau_i] > 0$. Otherwise, the statement is trivially true due to the
validity shown in Theorem 2.